If you've been following the news over the last two weeks, or if your guilty pleasure is binge watching Game of Thrones, then you’ve likely heard about the latest media hack and subsequent blackmailing that has lit up the internet: HBO and the hack of their extremely popular program Game of Thrones (GoT). With the help of our darknet analysts, OWL Cybersecurity has been watching the evolution of the saga and has been monitoring the email addresses, credentials, and data that has been released online every Sunday since the end of July.

It is important to note that while the HBO breaches have clearly been intensifying over the last couple of weeks, this is not the first time the network has found itself under attack by hackers. The whole saga can actually be traced back over several years, which our analysts have helpfully timelined out here.

The following is a comprehensive overview of the recent HBO breaches.

Hi to all mankind. The greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. Its HBO and Game of Thrones……!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling…

— The original message from Hackers who are allegedly holding HBO Media under ransom

What we know (the latest)

The hacking group, who remains unidentified, alleges to have penetrated the HBO media conglomerate’s network, an effort 6 months in the making, and harvested an estimated 1.5TB of data. The hackers also claim they spend nearly $500,000 USD a year purchasing so called zero-day exploits that let them break into networks through holes not yet known to Microsoft and other software companies. To put that in perspective, the Sony hack by Lazarus Group in 2014 only garnered 200GB of data -- the HBO hack is over seven times the size of the Sony breach.

The hackers have requested over $7M USD as ransom for the data and to turn off their campaign, reportedly to cover 6 months of their $12-13M USD yearly salaries. While HBO originally said they had not been communicating with the hackers, the hackers released an email from an HBO executive (name redacted) stating they had asked at the end of July for a week to establish a cybercurrency account and pull together $250,000 USD in bitcoin as a “bounty payment.”

Thus far, the group has leaked scripts to HBO television shows, several dozen personal emails and social media account information from executives, personal phone numbers and address for three Game of Thrones actors, and entire unaired episodes of shows, including three episodes of Game of Thrones, two episodes of Insecure, pilot episodes to the upcoming series The Deuce and Barry, two episodes of the upcoming season of Curb Your Enthusiasm, to name a few.

How we Got here

23 JULY 2017

On July 23 of this year, the domain www.winter-leak.com was established using IP address 104.28.9.135, located San Francisco, CA. On 2 August, Game of Thrones scripts, along with episodes of Insecure and Barry appeared on the site which did not remain up for very long. The IP of the domain has since changed to 89.38.97.131, located in Dublin, Ireland, and is currently not accepting ping or http requests.

Now, while the hackers have a strategic approach to their psychological warfare against HBO executives, with intent of releasing new content every week, the HBO story became doubly confusing when additional episodes of Season 7 were released by a user on reddit user with handle, zmax87 early last week.

After piecing more of the story together it appears as though, this user obtained the episode via HBO’s India-based distribution partner, Star India. The episode was leaked online in a low-quality format, and included a “For Internal Viewing Only” watermark.

15 AUGUST 2017

On Tuesday, 15 August, Indian police managed to arrest four in conjunction to this unauthorized episode release. According to police, three of the accused work for Prime Focus Technologies, a Mumbai-based company that processes the series for Indian streaming website Hotstar. The fourth is a former employee. (Reference)

7 AUGUST 2017

A week after the first reports of the HBO hack surface, “Kind Mr. Smith” emailed again releasing a “2nd wave” of HBO content, including 10 files containing more scripts of GoT and legal documents, budgets and phone numbers and email addresses of top HBO executives and actors. One document appears to contain the confidential cast list for Game of Thrones, listing personal telephone numbers and email addresses for actors such as Peter Dinklage, Lena Headey and Emilia Clarke.

Screen capture of the files included in HBO Hack - 2nd Wave

HBO’s response was quick, responding in an exclusive with Variety on the 10th of August, suggesting that the hack is not as extensive and that hackers manipulated the data file “Richard Contact list.txt” as it contains only internal domain email addresses and not representative of his actual email address book.

13 AUGUST 2017

As with any cat and mouse game, the hackers responded shortly after with first two episodes of Season 9 of Curb Your Enthusiasm appearing online on the evening of 13 August. The Season is not set to premiere until sometime in October of this year.

14 AUGUST 2017

Hi to all! This is the third wave of HBO ‘s Leak.Enjoy it!** email me and receive the url of leak **Mr. SmithIf history repeats itself, HBO may never be the same again. Winter Really is here.HB-Old is dying ......

— Content of 3rd email from HBO Hackers

A week after the 2nd release, the hacker’s third email appeared, with subject: HBO Leak, 3rd Wave, this time much more verbose than the first, and the body of the message included links to more HBO episodes of "Arliss," "Ballers," "Barry," "Curb Your Enthusiasm," "Felipe," "Insecure," "Latino," "Room 104" and "The Deuce.

Since the previous wave, the original ransom video the hackers sent the HBO CEO had surfaced, consisting of a wordy letter scrolling across the screen for over 5 minutes with ominous, dramatic music in the background.

The english and grammar are poor, suggesting they do not likely originate from an english-speaking country, but it is speculation at this point. The note provides interesting insight into the mindset of this hacking group and possibly some of the dialogue that HBO has had with the group over the course of the breach.

Our motives isn’t political nor financial. (Even we hate trump like other Americans do) Its like a game for us, we enjoy to get data. Money isn’t our main purpose.

(my colleagues argue with me about details given to you and length of this letter, but as there will be very few emails between us, I must assure you about what we have, what will be confronting you and what should be paid to settle down everything!!)

We honestly share what we got with you and frankly bring you our demand. We are white hat hackers and it’s very shameful if you compare us with some noisy & amateur blackhat ones like Darkoverload. You will see in future steps in our operation that we fulfill any promises made and any given word.

The answer is simple: we are white-hat. You must trust us. The HBO is our 17th Target. Only 3 of our past targets refused to pay and were punished very badly and 2 of them collapsed entirely.

— Excerpt from ransom letter from "Kind Mr. Smith" to HBO Executives

Based on the text in question, our analysts have noted the following:

English is not their primary language or was poorly translated to generate the ransom note’s content.

The hacking operation was not conducted by a single “Mr. Smith.” The writer references “colleagues” more than once throughout the video.

They refer to themselves as “white-hat” and IT professionals and view their operation as a huge Pentest (penetration test or network vulnerability assessment).

They disdain authorities and law enforcement, threatening more severe consequences if the FBI or their IT are involved.

15 AUGUST 2017

On Tuesday night, Game of Thrones returned to the headlines as Episode 6 of Season 7 was accidently released five days ahead of its premiere on HBO European affiliates, HBO España and HBO Nordic for one hour to its subscribers before being removed. On the internet, 60 minutes was ample enough time for it to be ripped and shared. Footage from the episode immediately shared on Reddit via YouTube, Instagram, Twitch and other streaming services, before swiftly being taken down by HBO.

16 AUGUST 2017

On Wednesday evening, HBO’s Game of Thrones account on Twitter was suddenly compromised with an ominous tweet from calling themselves “OurMine.” The poorly punctuated tweet alluded to their security test of the HBO network and suggested the HBO team contact them at ourmine.org to upgrade.

While HBO was able to quickly regain control of its social media pages, it prompted interest in the hacking group called “OurMine.” OurMine refers to themselves as a security group and are known for targeting the tech elite. In November 2016, they famously hacked the social media accounts of Facebook founder, Mark Zuckerberg. In a 2016 interview with WIRED, one anonymous member of the group insisted that OurMine's string of tech exec embarrassments is simply its way of teaching us all a helpful lesson. "We don't need money, but we are selling security services because there is a lot [of] people [who] want to check their security," he wrote in less-than-perfect English, declining to offer his name or the location of what he described as OurMine's three-person team. "We are not blackhat hackers, we are just a security group...we are just trying to tell people that nobody is safe."

OurMine Website built by Kobalt Development

The similarity of the language of Mr. Smith’s team is not loss on analysts here at OWL Cybersecurity. In addition to targeting social media accounts, OurMine Security also went after Buzzfeed, in late 2016, defacing several posts to read “Hacked by OurMine” after Buzzfeed published an article linking the OurMine group to a Saudi Arabian teenager using the name Ahmad Makki on social media. Of course, OurMine denied the allegations, and claimed that Makki was only a "fan" of the group’s work. Earlier this year, OurMine Security was busy targeting youTube’s network Omnia Media and Studio 71, by exploiting a vulnerability in youTube’s API allowing them to deface the titles of over 300 popular channels overnight.

From our analysis, it appears that OurMine’s high-profile social media account infiltration success relies within two critical areas: (a) access to some Twitter and Facebook accounts were obtained within the URL Shortener and Link Management Platform, called Bitly that is used by some of the most popular social media sites such as Facebook and Twitter and (b) reuse of passwords, in particular with Google CEO Sundar Pichai, whose gmail account has been seen for offer on the Darknet and crawled by OWL Cybersecurity’s darknet data engine, OWL Vision.

The identity of OurMine is still unknown and the only name connected with the website is Cole Fortson of Kobalt Development who is credited with building their website. Earlier this year, around the same time as the youTube attacks, the young entrepreneur and website developer from Fort Worth, Texas publicly disassociated with the hacking group on social media.

At the same time as the social media hack was occurring, Mr. Smith and his colleagues accelerated their data leaks and released the 4th Wave of HBO content which included everything from Westworld Season 2 shooting schedules to 27 separate Game of Thrones Season 7 "shooting [diaries].”

If history repeats itself, HBO may NEVER be the same Again. Winter Really is here

— Email from 4thWave of HBO Leaks

While it is entirely plausible OurMine Security is the same collection of Mr. Smith’s white-hat hackers who infiltrated HBO, there is insufficient evidence to link them definitively at this time. The only identifiable information for the HBO hackers is the email address in the original correspondence with HBO, little.finger66@qq.com. The alias "little.finger" is an intentional allusion to the GoT character, but unfortunately, there is no reference to this email address in the Darknet or across open-source surface web and deep web searches.

qqmail login screen in Madarin

Further investigation revealed "qqmail" is a Chinese email service created to give residents of China alternatives to sites and services that are banned in the country due to political oppression. That doesn’t mean that the hacker using this address originated in China, as qqmail is growing in popularity across Asia, especially among people who have business partnerships in China, participate in multi-cultural communications, e.g. penpals, or who want to find someone to practice their Chinese with. It does support that the hacker is not likely from the US or western.

While it is tempting to go download the illegally acquired and released GoT episodes, do not foolishly visit torrent downloading or video streaming sites. Many of these sites are laden with malware, such as Cerber ransomware and will flood your computer with malicious codes potentially compromising your personal information or rendering your computer completely inoperable.

Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.